India’s Digital Personal Data Protection (DPDP) became law as of August 11, 2023, focusing on personal data management, consent, cross-border transfers, and the establishment of the Data Protection Board.
While inspired by the European Union’s GDPR, India's approach showcases distinct deviations. These contrasts encompass factors such as more specific criteria for data processing, broad exceptions pertaining to government entities, the government's regulatory prerogative to refine the legislation, and the authority to exempt particular organizations or classes of organizations from core obligations.
DPDP stands out for introducing duty-of-care terminology like "Data Fiduciaries" for Controllers and "Data Principals" for Data Subjects, raising the age of parental consent to 18, and requiring speedy data breach reporting, with fines of up to INR 250 crore. Interestingly, the DPDP does not itemize special (sensitive) categories of personal data or set heightened requirements for their care.
Additionally, the government possesses an unconventional capacity to request information from Fiduciaries, the Board, and "intermediaries," and can also curtail public access to certain information within "computer resources."
It's important to underscore that significant aspects of the law require further clarity from the government and courts. And while the newly created Data Protection Board of India can provide input and assess compliance violations, it has not been granted formal rulemaking authority.
As we await confirmation of the act's effective date and for Indian authorities to work through how the law should operate in practice, we thought it helpful to further compare the DPDP to the GDPR, below.